Forwarding to Syslog
Syslog refers to System Logging protocol. It is a standard chiefly used by network devices to send events and logs in a particular format to a centralized system for storage and analysis. A Syslog event includes severity level, host IP, timestamps, diagnostics information, and so on.
Sysdig Event Forwarding allows you to send events gathered by Sysdig Secure to a Syslog server.
Configure Syslog Event Forwarding
To forward event data to a Syslog Server:
From the
Settingsmodule of the Sysdig Secure UI, navigate to theEvents Forwardingtab.Click the
Add Integrationbutton.Select
Syslogfrom the drop-down menu.Toggle the
Enabledswitch as necessary. By default, the new integration is enabled.Configure the required options:
Integration Name: Define an integration name.
Address: Specify the Syslog server where the events are forwarded. Enter a domain name or IP address. If a domain name resolves to several IP addresses, the first resolved address is used.
Port: Specify the port number.
Protocol: Choose the protocol depending on the server you are sending the logs to:
RFC 3164: RFC 3164 is the older version of the protocol, default port and transport is 514/UDP.
RFC 5424: RFC 5424 is the current version of the protocol, default port and transport is 514/UDP
RFC 5425 (TLS): RFC 5425 (TLS) is an extension to RFC 5424 to use an encrypted channel, default port and transport is 6514/TCP
UDC/TCP; Define transport layer protocol UDP/TCP. Use TCP for security incidents, as it's far more reliable than UDP for handling network congestion and preventing packet loss.
NOTE: RFC 5425 (TLS) only supports TCP.
Data to Send: Currently, Sysdig only supports sending policy events (events from Sysdig Secure).
Allow insecure connections: Toggle on if you want to allow insecure connections (i.e. invalid or self-signed certificate on the receiving side).
Click the
Savebutton to save the integration.